Schools, Portraits, Commercial & Events Photography

Click Here to Buy Photos


Lemon Zebra Photography

General Data Protection Regulation (2018) Policy



This General Data Protection Regulation 2018 Policy ensures that Lemon Zebra complies with the data protection law and follows good practice, protecting the rights of staff, customers and suppliers, is open about how it stores and processes individuals’ data, and protects itself from the risks of a data breach. 

Lemon Zebra needs to gather and use certain information about individuals. Individuals can include customers, suppliers, business contacts, employees and other people with whom the organisation has a relationship or may need to contact. This also includes names of students and school children particularly for the production of data matched images on CD for use in schools and sales of individual, sibling and named group photographs. 

This policy describes how this personal data is collected, handled and stored to meet the company’s data protection standards — and to comply with the law. 


General Data Protection Regulation 2018 

The General Data Protection Regulation 2018 describes how organisations — including Lemon Zebra — must collect, handle and store personal information. 

These rules apply regardless of whether data is stored electronically, on paper or on other materials. 

To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully.


What Obligations Do Data Controllers Have? 

We adhere to the 6 principles relating to Processing of Personal Data set out in the GDPR which require personal data to be: 


At Lemon Zebra the Data Controller is Sue Young. She is responsible for ensuring the company minimises any data protection risks, knows its responsibilities and tackles any issues. 


Data Protection Risks 

This policy helps to protect Lemon Zebra from data security risks, including: 

  • Failing to offer choice. For instance, all individuals should be free to choose how the company uses data relating to them.
  • Breaches of confidentiality. For instance, information being given out inappropriately.
  • Unsafe processes. The company will periodically review the processes used in order to identify and minimise the potential impact of risk within its data processing activities.
  • Ensuring accountability. Everyone who works for or with Lemon Zebra has some responsibility for ensuring data is collected, stored and handled appropriately.
  • Reputational damage. For instance, the company could suffer if hackers successfully gained access to sensitive data. 

Data Protection Responsibilities 

This policy helps to identify data protection responsibilities at Lemon Zebra, including:

  • Reviewing all data protection procedures and related policies, in line with an agreed schedule.
  • Arranging data protection training and advice for the people covered by this policy.
  • Handling data protection questions from staff and anyone else covered by this policy.
  • Dealing with requests from individuals to see the data Lemon Zebra holds about
    them (also called ‘subject access requests’).
  • Checking and approving any contracts or agreements with third parties that may handle the
    company’s sensitive data.
  • Ensuring all systems, services and equipment used for storing data meet acceptable security
  • Performing regular checks and scans to ensure security hardware and software is
    functioning properly.
  • Evaluating any third-party services the company is considering using to store or process
    data. For instance, web hosting services.
  • Approving any data protection statements attached to communications such as emails and
  • Ensuring any marketing initiatives abide by data protection principles.

General Staff Guidelines 

The only people able to access data covered by this policy should be those who need it for their work.
Data should not be shared informally. Lemon Zebra provides training to all employees to help them understand their responsibilities when handling data.
Employees should keep all data secure, by taking sensible precautions and following the guidelines below. In particular, strong passwords must be used and they should never be shared. 

Personal data should not be disclosed to unauthorised people, either within the company or externally. 

Data should be regularly reviewed and updated if it is found to be out of date. If no longer required, it should be deleted and disposed of. 

Employees should request help from the Data Controller if they are unsure about any aspect of data protection. 


Data Storage 

These rules describe how and where data should be safely stored. 

When data is stored on paper, it should be kept in a secure place where unauthorised people cannot see it. These guidelines also apply to data that is usually stored electronically but has been printed out for some reason. When not required, the paper or files are kept in a locked cupboard.
Employees make sure paper and printouts are not left where unauthorised people could see them, like on a printer. Data printouts are shredded or burnt and disposed of securely when no longer required. 

When data is stored electronically, it must be protected from unauthorised access, accidental deletion and malicious hacking attempts. Data is protected by strong passwords that are changed regularly. If data is stored on removable media (like a CD or DVD), these are kept locked away securely when not being used. Data is only stored on designated drives and servers. Data is backed up frequently. Data is never saved directly to laptops or other mobile devices like tablets or smart phones.

Data use 

These rules describe how and what data can be used. 

We are sent pupil information from schools in order to supply head and shoulder thumbnails of pupils to be used with and other schools management information systems. The safety of pupils in schools falls within the realm of public interest when it comes to GDPR.
The sale of school photos to parents does not fall within the realm of public interest. However the schools are required to obtain permission from Data Subjects (parents if the child is under 13, or the pupil if aged 13 or over) to allow us to hold the name, registration group, admission number and year to perform this function and it is assumed in our contract with the school that they have done this. 

The information we receive from schools is digitally transferred to the admin side of our website where it links with the pupils’ images which we have also uploaded by secure means. The headshot information is provided by Lemon Zebra to the school by secure means. Thereafter the data is used to name proof cards and to fulfil orders to the schools to make the administration of the school photo process efficient for the school and ensure parents get their orders. 

We maintain a customer relationship database with details of customers: schools, personal clients, staff and service providers. 

When working with personal data, employees ensure the screens of their computers are always locked when left unattended. Personal data is not shared informally. Personal data should never be transferred outside of the European Economic Area. Employees should not save copies of personal data to their own computers but always access and update the central copy of any data. 


Supplier Agreement / Data Sharing 

These rules describe the relationship we have with third party suppliers. 

The supplier must only act on our written instructions (unless required by law to act without such instructions). 

The supplier must ensure that people processing the data are subject to a duty of confidence. 

The supplier must assist us in providing subject access and allowing data subjects to exercise their rights under the GDPR. 

The supplier must assist us in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments. 

The supplier must delete or return all personal data to us as requested at the end of the contract 

The supplier must submit to audits and inspections, and tell us immediately if it is asked to do something infringing the GDPR 

Nothing within the contract relieves the processor of its own direct responsibilities and liabilities under the GDPR 

The supplier must take appropriate measures to ensure the security of processing 

The supplier must only engage a sub-processor with the prior consent of the data controller and a written contract. 



Once the images have been taken the photographer transfers them directly from the camera cards to an external hard drive which is securely locked away. 



The administration is handled by Sue Young who is DBS checked. Data is stored on password protected computers within an alarmed building. 

Data is stored for varying lengths of time depending on the terms of the contract but never longer than deemed necessary. Paper copies, where held, are kept in line with standard accounting procedures to assist in dealing with any queries that may arise at a later date. Any printouts are shredded or burnt when no longer required. 

Printed images are provided by One Vision Imaging. Images are securely sent to the lab and have no data attached to them. They are referenced by a number which our system has generated. Almost all products are prepared and packed in house by Lemon Zebra with the exception of the occasional product needed urgently by a customer which may be sent direct from the lab.  On these occasions, the customer will be informed.


Online Orders 

For online photograph orders Lemon Zebra uses a bespoke cloud-based system called Pics Checkout which was developed by Hayley Lehmann Ltd. All parts of the system software are owned by Hayley Lehmann Ltd. Every image is stored securely on a Virtual Private Network and our online orders can only be accessed with a unique password. 

Hayley Lehmann Ltd’s online orders website has a DigiCert security certificate and card payments are provided by Sagepay and Worldpay who deal with the complete process of handling the card payments. This means that we do not process payment information and do not store it ourselves. The payment is transacted through Secure Server Software, which encrypts all of the information so that it can’t be intercepted. 


Subject access requests 

All individuals who are the subject of personal data held by Lemon Zebra are entitled to: 

- Ask what information the company holds about them and why.
- Ask how to gain access to it.
- Be informed how to keep it up to date.
- Be informed how the company is meeting its data protection obligations. 

If an individual contacts the company requesting this information, this is called a subject access request. Subject access requests from individuals should be made by email, addressed to the Data Controller, Sue Young at A response will be provided within 28 days. 

The Data Controller will always verify the identity of anyone making a subject access request before handing over any information.


Disclosing data for other reasons 

In certain circumstances, the General Data Protection Regulation 2018 allows personal data to be disclosed to law enforcement agencies without the consent of the data subject. 

Under these circumstances, Lemon Zebra will disclose the requested data. However, the Data Controller will ensure the request is legitimate. 

Policy prepared by: Sue Young Date: May 2018



Copyright © 2024 Lemon Zebra Photography - Web design: Silkstream